{
"title": "CVE-2026-46199: AMDGPU VCN4 Out-of-Bounds Read Flaw Exposes Linux Systems to Kernel Data Leaks",
"content": "A newly disclosed out-of-bounds read vulnerability in the Linux kernel's AMDGPU driver, tracked as CVE-2026-46199, could allow attackers to read sensitive kernel memory on systems equipped with AMD Radeon RX 7000 series GPUs. The flaw, reported by kernel.org and listed in the National Vulnerability Database (NVD) on May 28, 2026, resides in the Video Core Next 4 (VCN4) video decode path. It was fixed quietly in a stable kernel update, but the CVE publication now publicly documents the risk for millions of Linux workstations and servers.

AMD's VCN engine handles hardware-accelerated video encoding and decoding, a feature leveraged by everything from media players to browser-based video conferencing. VCN4—the fourth iteration of the engine, found exclusively in RDNA 3 architecture GPUs—introduced improved AV1 decode and encode capabilities. The AMDGPU kernel driver directly programs this hardware, mapping command buffers and firmware interfaces into kernel memory space. A bug in the bounds checking of a command buffer within the VCN4 code path creates the opportunity for an out-of-bounds read.

How an out-of-bounds read in a GPU driver becomes a security nightmare

An out-of-bounds read occurs when software attempts to access memory beyond the allocated buffer. In kernel-mode drivers, such a flaw does not merely crash the application—it can leak kernel memory contents to user space. Because the AMDGPU driver runs with kernel privileges, any memory it can access is potentially exposed. This includes cryptographic keys, file system caches, credentials, or even the kernel’s randomized stack layout, which can neuter exploit mitigations like KASLR (Kernel Address Space Layout Randomization).

The vulnerable code lies in the path that processes video decode commands. A programmed I/O request containing a specially crafted command buffer could trick the driver into reading past the end of a buffer, returning data that the user-mode caller should never see. The precise memory layout varies per system, but any information leak is a stepping stone to more severe attacks, such as privilege escalation or container escape.

Attack scenario: from a video file to kernel memory

Exploitation would not require physical access. An attacker could embed a malicious video stream into a web page, lure a user to play it with a GPU-accelerated video player like VLC or Firefox, and trigger the out-of-bounds read silently. The malicious data, disguised as a harmless media clip, would be processed by the VCN4 hardware, causing the kernel to return unintended memory chunks to the attacker’s application. These chunks could be exfiltrated via JavaScript using WebRTC or other side channels, though such chains are complex.

More plausibly, a local user with unprivileged code execution—through a compromised application or a Docker container with GPU access—could directly invoke the vulnerable driver interface via standard APIs like VA-API or Vulkan Video. The leaked data might include portions of the kernel heap, revealing pointers that defeat ASLR (Address Space Layout Randomization), or even cached file contents from other processes. The confidentiality impact is rated as high by NVD, while integrity and availability impacts are negligible.

The affected hardware is widespread. RDNA 3-based Radeon RX 7900 XTX, 7900 XT, 7800 XT, and integrated Radeon 780M (found in many Ryzen laptops) all contain VCN4. In the Linux ecosystem, these GPUs are popular not only among desktop users but also in HPC clusters, AI/machine learning workstations (via ROCm), and Steam Deck-like handhelds. Servers with AMD Instinct MI300 accelerators may not be affected because MI300 uses VCN 2.x or custom video blocks, though the vulnerability’s scope as listed in the CVE explicitly mentions “VCN4” in the AMDGPU driver.

The fix: a single bounds check with a patch already circulating

The kernel.org disclosure mentions a simple missing bounds check that was easily corrected. The patch, integrated into the mainline kernel and backported to stable branches, adds an explicit validation of the user-supplied size before the driver reads from the buffer. No firmware update is required; the fix resides entirely in the kernel module.

The timeline is typical for a responsible disclosure: a researcher (not named in the initial NVD entry) reported the flaw to the Linux kernel security team several weeks earlier. The stable kernel release on May 28, 2026, included the fix without fanfare, but the CVE was published simultaneously to alert downstream distributions. Ubuntu, Red Hat, SUSE, and Debian had all received the patch by early June. Users who update their kernels automatically via their package manager are already protected; those running custom or long-term support kernels need to verify that the fix is applied.

Because the flaw resides in the AMDGPU open-source kernel module, the entire remediation is transparent. The code change is minimal—less than five lines—and can be reviewed in the kernel Git log under commit messages referencing “drm/amdgpu: fix out-of-bounds read in VCN4 decode.” No workaround exists other than disabling hardware video acceleration entirely (e.g., by appending amdgpu.vcn=0 to the kernel command line), which would degrade video playback to software decoding, a significant performance penalty for 4K and 8K content.

Why this matters to Windows users and the broader AMD ecosystem

The vulnerability is Linux-specific. AMD’s Windows driver stack is a completely separate codebase and does not share the buggy function. However, the incident highlights the increasing attack surface of GPU drivers across all operating systems. Graphics drivers have historically been a weak spot because they must parse complex, often undocumented hardware commands from user space. Microsoft’s Driver Security Guidance and the Windows Hardware Compatibility Program impose strict code integrity and fuzzing requirements, but similar out-of-bounds read bugs have appeared in Windows GPU drivers from all vendors in the past.

For Windows enthusiasts who dual-boot or use Windows Subsystem for Linux (WSL), the risk is zero if they never boot into a vulnerable Linux kernel with the AMDGPU driver active. WSL2 runs its own Linux kernel, which Microsoft maintains and updates separately; a patched kernel will be distributed via Windows Update if Microsoft deems it necessary. Users of WSL2 can manually update their kernel using wsl --update or by installing the latest kernel from the Microsoft WSL repository. As of now, the patched version is 6.1.112 or later for WSL2.

System administrators managing mixed Linux and Windows environments should pay attention. A compromised Linux workstation with a leaked kernel pointer could lead to a full kernel exploit, turning a low-severity read into a total system compromise. Such a pivot could expose network shares, Active Directory credentials, or cloud service keys that are cached locally. Defense-in-depth strategies, microsegmentation, and prompt patching remain crucial.

Broader implications for GPU security and the vulnerability lifecycle

Vulnerabilities in GPU video decode paths are not new. In 2023, a heap overflow in an NVIDIA driver’s NVDEC component earned a high-severity CVE. Intel’s i915 driver has had its share of unchecked buffer lengths. What makes CVE-2026-46199 noteworthy is its presence in a widely adopted open-source driver, where community scrutiny can sometimes catch such issues earlier. Yet the flaw survived code reviews and automated fuzzing until 2026, underscoring the difficulty of testing DMA-heavy, hardware-dependent code.

The Linux kernel’s disclosure process, governed by the security@kernel.org list, prioritized a coordinated release. The patch was merged into Linus Torvalds’ tree two weeks before the CVE became public, giving major distributions a head start. This model—a stark contrast to the chaotic “full disclosure” of past decades—reduces the window of vulnerability but relies on trust that downstreams will build and ship updated kernels quickly. By the time this article is published, all major enterprise distributions have shipped the fix.

For AMD, this CVE is a reminder that openness does not automatically equate to security. The company’s commitment to upstream-first driver development means bugs are more visible, but they also get fixed faster by a global community. AMD’s security advisory page will likely publish additional details if the researcher grants permission, including potentially a proof-of-concept. Security researchers often release PoCs after a grace period, so users should not assume that the lack of public exploits makes the vulnerability benign—Metasploit modules or fuzzing tools will integrate the bug soon.

User actions and verification steps

To check if your system is vulnerable, run:

```bash
# lspci does not print VCN versions, so match the bound amdgpu driver instead
lspci -k | grep -E -A 2 'VGA|3D' | grep -i 'amdgpu'
```

or simply look for “Radeon RX 7xxx” or “Radeon 780M” in your hardware profile. Then verify the kernel version:

```bash
uname -r
```

Kernel version 6.1.112, 6.6.61, 6.12.3, or any later release in those series contains the fix. If you run a custom kernel, check the changelog for the commit “drm/amdgpu: fix out-of-bounds read in VCN4 decode.”
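
The version check described above, as an added Python example that is not part of the original article or of the kernel project. It uses only the three fixed releases the article lists; the classify function and its result labels are assumptions made for illustration.

```python
import platform
import re

# Fixed patch level per stable series, taken from the article's list.
FIXED = {(6, 1): 112, (6, 6): 61, (6, 12): 3}


def classify(release):
    '''Classify a uname -r style string against the article's fixed releases.

    Returns 'fixed', 'needs-update', 'check-changelog' or 'unknown'.
    '''
    m = re.match('([0-9]+)[.]([0-9]+)(?:[.]([0-9]+))?', release)
    if m is None:
        return 'unknown'
    series = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    fixed_patch = FIXED.get(series)
    if fixed_patch is None:
        # The article only names three series; make no claim about others.
        return 'unknown'
    if patch >= fixed_patch:
        return 'fixed'
    # A vendor suffix (e.g. -28-amd64) means the distribution may have
    # backported the fix without changing the base version number.
    if release[m.end():]:
        return 'check-changelog'
    return 'needs-update'


if __name__ == '__main__':
    running = platform.release()  # same string as uname -r on Linux
    print(running, classify(running))
```

Distribution kernels often carry backported fixes under an older base version, which is why a string such as 6.1.0-28-amd64 is reported as check-changelog rather than needs-update.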

For Linux distributions, the standard update commands apply: sudo apt update && sudo apt upgrade on Debian/Ubuntu, sudo dnf upgrade on Fedora, or sudo zypper update on openSUSE. Reboot if the kernel package was updated. The GPU driver will reload with the fixed module automatically.

Users of immutable or atomic distributions like Fedora Silverblue or openSUSE MicroOS will receive the fix via an ostree update and should reboot into the new deployment.

Looking ahead: the never-ending patching cycle

CVE-2026-46199 will soon be just another line item in the constant stream of kernel fixes. Yet it illustrates a persistent truth of modern computing: the hardware we rely on for performance—GPU video engines, AI accelerators, network offload cards—also expands the attack surface. Each programmable component needs a driver, and every driver interaction with user space is a potential vulnerability. The Linux kernel’s average patch volume exceeds 10,000 commits per release, with security-relevant bugs often fixed without CVE assignments. Proactive monitoring of vendor advisories and automated patch management is no longer optional.

For Windows-centric readers, the takeaway is cross-platform awareness. Whether you run Windows desktops with DirectX, Linux render nodes, or Macs with Metal, GPU driver security affects everyone. The AMDGPU VCN4 fix may be a Linux story today, but tomorrow an analogous bug could appear in the Windows DirectX Video Acceleration layer. Staying informed across ecosystems